STIX Wiki

Tool

Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack.

The Tool SDO characterizes the properties of these software tools and can be used as a basis for making an assertion about how a Threat Actor uses them during an attack. It contains properties to name and describe the tool, a list of Kill Chain Phases the tool can be used to carry out, and the version of the tool.

This SDO MUST NOT be used to characterize malware. Further, Tool MUST NOT be used to characterize tools used as part of a course of action in response to an attack.

Properties

Required Common Properties
type, spec_version, id, created, modified, name

Optional Common Properties
created_by_ref, labels, revoked, confidence, lang, external_references, object_marking_refs, granular_markings, extensions

Not Applicable
defanged

Tool Specific
aliases, tool_types, name, description, tool_version, kill_chain_phases

| Property | Type | Description |
| --- | --- | --- |
| type (optional) | string | The type of this object, which MUST be the literal `tool`. |
| aliases (optional) | list of string | Alternative names used to identify this Tool. |
| tool_types (optional) | list of string | The kind(s) of tool(s) being described. Open Vocab - tool-type-ov |
| name (required) | string | The name used to identify the Tool. |
| description (optional) | string | Provides more context and details about the Tool object. |
| tool_version (optional) | string | The version identifier associated with the tool. |
| kill_chain_phases (optional) | list of object | The list of kill chain phases for which this Tool instance can be used. |
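
The following is an added example, not part of the wiki or of any STIX library: a small check that a parsed Tool object follows the property lists and table above before it is accepted into a threat-intelligence store. The function names and the sample object (its id, timestamps, spec_version value and kill chain name) are constructed for illustration; the required set is taken from the Required Common Properties list on this page.

```python
import json

# Property sets copied from the lists and table on this page.
REQUIRED = ("type", "spec_version", "id", "created", "modified", "name")
NOT_APPLICABLE = ("defanged",)
STRING_PROPS = ("name", "description", "tool_version")
STRING_LIST_PROPS = ("aliases", "tool_types")


def is_list_of(value, kind):
    return isinstance(value, list) and all(isinstance(v, kind) for v in value)


def validate_tool(obj):
    """Return a list of problems in a parsed Tool SDO; empty means it passes."""
    problems = [f"missing required property: {p}" for p in REQUIRED if p not in obj]
    if "type" in obj and obj["type"] != "tool":
        problems.append("type must be the literal 'tool'")
    problems += [f"property not applicable to Tool: {p}"
                 for p in NOT_APPLICABLE if p in obj]
    problems += [f"{p} must be a string"
                 for p in STRING_PROPS if p in obj and not isinstance(obj[p], str)]
    problems += [f"{p} must be a list of string"
                 for p in STRING_LIST_PROPS
                 if p in obj and not is_list_of(obj[p], str)]
    if "kill_chain_phases" in obj and not is_list_of(obj["kill_chain_phases"], dict):
        problems.append("kill_chain_phases must be a list of object")
    return problems


# Constructed sample: the id, timestamps and spec_version value are made up.
SAMPLE = json.loads("""
{
  "type": "tool",
  "spec_version": "2.1",
  "id": "tool--00000000-0000-4000-8000-000000000001",
  "created": "2024-01-01T00:00:00.000Z",
  "modified": "2024-01-01T00:00:00.000Z",
  "name": "Nmap",
  "description": "Network scanning tool.",
  "tool_types": ["information-gathering"],
  "kill_chain_phases": [
    {"kill_chain_name": "example-kill-chain", "phase_name": "reconnaissance"}
  ]
}
""")

if __name__ == "__main__":
    print(validate_tool(SAMPLE))
```

The check covers only what this page states; it does not validate identifier or timestamp formats, and it cannot enforce the rule that Tool must not be used to characterize malware.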

Relationships

These are the relationships explicitly defined between the Tool object and other STIX Objects. The first section lists the embedded relationships by property name along with their corresponding target. The rest of the table identifies the relationships that can be made from this object type to another object type by way of the Relationship object. The reverse relationships section illustrates the relationships targeting this object type from another object type. They are included here for convenience. For their definitions, please see the "Source" object.

Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship type or, as with open vocabularies, user-defined names.
